[gptalk] Re: "Always use local ADM files..." setting oddness

  • From: <bart.schillebeeks@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 4 Apr 2007 10:33:30 +0200

Isn't that the same as what i've said, alan ? :-) 
 

Vriendelijke groeten,
Cordialement,
Kind Regards, 
Schillebeeks Bart
Active Directory Security Consultant
Small and Departmental Systems - NT Systems Fortis Bank
Bart.schillebeeks@xxxxxxxxxxxxxx
AD Internet Consulting BVBA

Disclaimer:
Any views expressed in this message are those of the individual sender, except 
where the message states otherwise and the sender is authorised to state them 
to be the views of any such entity.This Message is in no way legally binding 
and has to be viewed as a personal opinion of the sender. This message reflects 
in no way the views of FORTIS BANK and its associates and AD internet 
Consulting BVBA and its associates. Unless otherwise stated, any pricing 
information given in this message is indicative only, is subject to change and 
does not constitute an offer to deal at any price quoted. Any reference to the 
terms of executed transactions should be treated as preliminary only and 
subject to our formal written confirmation.

AD Internet Consulting BVBA, Hezemeer 7, 2430 Eindhout-Laakdal ON:0470419019 
www.adinternet.com mailto:Sales@xxxxxxxxxxxxxx


 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Alan & Margaret
Sent: Wednesday, April 04, 2007 10:28 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: "Always use local ADM files..." setting oddness



Hi Tom & Tony

 

My take on this is slightly different. I prefer to disable  "automatic Updates 
of ADM files" and disable the "always use Local ADM Files for Group Policy 
Editor" but only have those Templates in the Policy that you want to use. This 
has the following advantages:_

*       Limited bloat since there aren't many ADM files in the Policies 
*       Everyone sees the same thing on all machines 
*       You can have different versions of the same ADM file in different 
policies 
*       Minimal display inside GPEDIT 
*       Other people cannot accidentally change your ADM files 

 

Of course you don't have multi language support though.

 

When you look at ADMX files it moves in the direction of a single set of ADMX 
files used by all policies on the domain. You can't load a subset for each 
policy. This will give you Tom's problem of a very cluttered display. It also 
means if you have one domain and a central store of ADMX files, it is a bit 
difficult to test ADMX files, since if you get one wrong, no one can look at 
any admx settings until you fix it. Perhaps Darren could tell us if there is a 
registry setting to select a different location for ADMX files for testing. But 
then, everyone does there testing in a separate domain ....

 

Alan Cuthbertson

 

 

 Policy Management Software:-

http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml

 

ADM Template Editor:-

http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml

 

Policy Log Reporter(Free)

http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml

 

 

 

 

 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of bart.schillebeeks@xxxxxxxxxx
Sent: Wednesday, 4 April 2007 5:56 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: "Always use local ADM files..." setting oddness

 

Hi tom, 

 

How is it going down under :-)

 

Normal behaviour since the editor just reads all the adm's it finds. In the 
sysvol it's only the assigned templates in the gpo, Locally it's all of them 
you have stocked. 

 

Best thing to do according to me is to 

 

*       "Turn off automatic updates of ADM files"  this will thus not overwrite 
any sysvol adm templates with local versions. 
*       "When group policy is selecting a DC it should use PRIMARY DOMAIN 
CONTROLLER"  this makes sure you always attach to your PDC role. 
*       Disable ADM in NTFRS replication by setting a filter on the sysvol 
replication "*.adm" in the registry , this will exclude *.adm files from 
replicating. (you can find this also in a KB somewhere, lost the KB nr which it 
was :-( ) 

You have thus a system that only allows ADM on the PDC , to which you only 
connect to, your sysvol bloat is gone etc...

 

You now only need to maintain your local ADM files on your GPO administration 
workstation to make sure they are the latest versions, of course if you have 
multiple administrators you need to make sure they have the same ADM's. 

 

This way you will select adm for the PDC's sysvol , in a normal manner, and 
only see those that you've assigned. 

 

Oh yeah Don't change PDC roles , as you will have to re-assing all adm's again 
(or copy them over first) 

 

Vriendelijke groeten,
Cordialement,
Kind Regards, 
Schillebeeks Bart
Active Directory Security Consultant
Small and Departmental Systems - NT Systems Fortis Bank
Bart.schillebeeks@xxxxxxxxxxxxxx
AD Internet Consulting BVBA

Disclaimer:
Any views expressed in this message are those of the individual sender, except 
where the message states otherwise and the sender is authorised to state them 
to be the views of any such entity.This Message is in no way legally binding 
and has to be viewed as a personal opinion of the sender. This message reflects 
in no way the views of FORTIS BANK and its associates and AD internet 
Consulting BVBA and its associates. Unless otherwise stated, any pricing 
information given in this message is indicative only, is subject to change and 
does not constitute an offer to deal at any price quoted. Any reference to the 
terms of executed transactions should be treated as preliminary only and 
subject to our formal written confirmation.

AD Internet Consulting BVBA, Hezemeer 7, 2430 Eindhout-Laakdal ON:0470419019 
www.adinternet.com mailto:Sales@xxxxxxxxxxxxxx

 

 

 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Tony Murray [HIQ]
Sent: Wednesday, April 04, 2007 5:58 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] "Always use local ADM files..." setting oddness

Hi all

 

I'm attempting to implement the recommendations for managing ADM files as shown 
in the following KB article:

 

http://support.microsoft.com/kb/816662

 

I've got a management workstation for managing GPOs (actually a VM running W2K3 
SP1) and have implemented the policy "Always use local ADM files for Group 
Policy editor".    All seems to be ok, but for the fact that GPEDIT now loads 
all of the ADM templates from %windir%\inf whenever I open a GPO for editing.  
As we have quite a number of custom and other ADMs this creates a very busy 
view.   The "Always use local ADM files for Group Policy editor" setting 
appears to make the Add/Remove Templates option redundant.

 

Is there any way to have the "Always use local ADM files for Group Policy 
editor" setting in place and selectively add in the ADMs that I want to use for 
each GPO?   Put another way, can I have my cake and eat it?

 

Thanks

Tony

 

 

 

 




________________________________



 

This email or attachment(s) may contain confidential or legally privileged 
information intended for the sole use of the addressee(s). Any use, 
redistribution, disclosure, or reproduction of this message, except as 
intended, is prohibited. If you received this email in error, please notify the 
sender and remove all copies of the message, including any attachments. Any 
views or opinions expressed in this email (unless otherwise stated) may not 
represent those of HealthIntelligence (HIQ Ltd). 

http://www.healthintelligence.org.nz <http://www.healthintelligence.org.nz>  

(1H_S1) 

No Viruses were detected in this message.



________________________________



HealthIntelligence <http://www.healthintelligence.org.nz>  eMail Filter Service
= = = = = = = = = = = = = = = = = = = = = = = = =
Fortis disclaimer :
http://www.fortis.be/legal/disclaimer.htm

Privacy policy related to banking activities of Fortis:
http://www.fortisbank.be/legal/privacy_policy.htm
= = = = = = = = = = = = = = = = = = = = = = = = =

Other related posts: